"Nurin Almas" <[EMAIL PROTECTED]>
> Does anyone know how to 'lock' each smart card to a particular
> UserID? Currently, my sunray users can use ANY registered smart
> cards to login using their userid/password.
>
> The objective is for the user to be able to ONLY use the one smart
> card issued to him/her to log in to sunray, and not anybody else's.
> The system should block login attempts by users trying to access
> sunray using somebody else's card.

SRSS itself doesn't provide any way to do this. There are a couple of ways you can do it yourself.

The easiest is to perform a post-login check that compares the username against the Sun Ray token and terminates the login if they don't match. You can do this by creating a local version of the dtlogin Xstartup script; see 'man dtlogin' for details.

A much better way to do it is to write a PAM module that either provides the username for a given smartcard, or verifies that the username typed in by the user is the correct one for the card. Unfortunately this is far more difficult than running a script.

If you're running SRSS 3.0 then sometime in the next month or so you should be able to download an experimental package that contains the source for a PAM module that can do a number of things along these lines, including redirecting sessions to different servers. I think it also lets you force a specific username for a given smartcard, but even if it doesn't it'd be a good thing to use as the basis for your own PAM module.

OttoM.

_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
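The post-login check described in the reply above, written as a fragment for a local dtlogin Xstartup script; it is an added example, not code from the original post or from SRSS. It assumes the card token reaches Xstartup as `SUN_SUNRAY_TOKEN`, that dtlogin ends the session when Xstartup exits non-zero (confirm both in 'man dtlogin' for your release), and that bindings live in a hypothetical root-owned file `/etc/opt/local/card_owners`.

```shell
#!/bin/sh
# Added example: bind each smart card token to one username, checked post-login.
# Assumptions: SUN_SUNRAY_TOKEN and USER are set when Xstartup runs, and a
# non-zero exit from Xstartup aborts the session.

# Hypothetical map file, owned by root and not writable by users.
# Format: "<token> <username>" per line; lines starting with '#' are comments.
# Constructed sample entry:  Payflex.500436c900130100 alice
CARD_MAP="${CARD_MAP:-/etc/opt/local/card_owners}"

# card_owner_ok TOKEN USER MAPFILE
# Returns 0 only when MAPFILE binds TOKEN to exactly USER.
# Fails closed: empty token or user, unreadable map, unknown token and
# duplicate entries for one token are all treated as a mismatch.
card_owner_ok() {
    _tok=$1 _usr=$2 _map=$3
    [ -n "$_tok" ] && [ -n "$_usr" ] && [ -r "$_map" ] || return 1
    # Pass the token through the environment so awk never parses it as
    # program text; append "" to force a string (not numeric) comparison.
    _owner=$(TOKEN="$_tok" awk '
        ($1 "") == (ENVIRON["TOKEN"] "") { print $2; n++ }
        END { exit (n == 1 ? 0 : 1) }' "$_map") || return 1
    [ "$_owner" = "$_usr" ]
}

# xstartup_check: the decision Xstartup makes for the current login.
# A mismatch is logged so that attempts to use someone else's card are visible.
xstartup_check() {
    if card_owner_ok "$SUN_SUNRAY_TOKEN" "$USER" "$CARD_MAP"; then
        return 0
    fi
    logger -p auth.warning -t Xstartup \
        "smart card/user mismatch: user=$USER token=$SUN_SUNRAY_TOKEN"
    return 1
}

# In the real Xstartup, end the script with:
#   xstartup_check || exit 1
```

Because the check runs after authentication, it only ends the session; the PAM approach in the reply is what rejects the login itself.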
